[Snort-devel] database plugin patch

Joe McAlerney joey at ...60...
Wed Aug 29 13:29:50 EDT 2001


Hello,

Jimmy Staggs found a bug in the database plugin.  SIDs were being
wrongly assigned to signatures with like msg strings.  I threw together
a patch which fixes the problem.

-Joe M.

-- 
|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
-------------- next part --------------
--- ./spo_database.c.old	Wed Aug 29 09:58:33 2001
+++ ./spo_database.c	Wed Aug 29 09:58:21 2001
@@ -615,14 +615,37 @@
         */
        select0 = (char *) malloc (MAX_QUERY_LENGTH+1);
        if ( event->sig_rev == 0 ) 
-          snprintf(select0, MAX_QUERY_LENGTH, 
-                   "SELECT sig_id FROM signature WHERE sig_name = '%s' AND"
-                   " sig_rev is NULL", msg);
+       {
+ 	  if( event->sig_id == 0) 
+          {
+             snprintf(select0, MAX_QUERY_LENGTH, 
+                      "SELECT sig_id FROM signature WHERE sig_name = '%s' AND"
+                      " sig_rev is NULL AND sig_sid is NULL ", msg);
+          }
+          else 
+          {
+             snprintf(select0, MAX_QUERY_LENGTH, 
+                      "SELECT sig_id FROM signature WHERE sig_name = '%s' AND"
+                      " sig_rev is NULL AND sig_sid = %u ", msg, event->sig_id);
+          }
+       }
        else
-          snprintf(select0, MAX_QUERY_LENGTH,
-                   "SELECT sig_id FROM signature WHERE sig_name = '%s' AND "
-                   " sig_rev = %u ",
-                   msg, event->sig_rev);
+       {
+ 	  if( event->sig_id == 0)
+	  {
+             snprintf(select0, MAX_QUERY_LENGTH,
+                      "SELECT sig_id FROM signature WHERE sig_name = '%s' AND "
+                      " sig_rev = %u AND sig_sid is NULL ",
+                      msg, event->sig_rev);
+          }
+          else
+	  {
+             snprintf(select0, MAX_QUERY_LENGTH,
+                      "SELECT sig_id FROM signature WHERE sig_name = '%s' AND "
+                      " sig_rev = %u AND sig_sid = %u ",
+                      msg, event->sig_rev, event->sig_id);
+          }
+       }
 
        sig_id = Select(select0, data);
 
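Review bot: None of the four new snprintf() calls checks its return value, so a long `msg` can silently truncate the query and cut off the trailing `sig_rev`/`sig_sid` predicates this patch adds; the statement handed to Select() would then be malformed or match on fewer conditions than intended. Capture the result and skip the lookup on truncation, e.g. `n = snprintf(select0, MAX_QUERY_LENGTH, ...);` followed by `if (n < 0 || n >= MAX_QUERY_LENGTH) { /* log and skip the lookup */ }`. `msg` is also placed between single quotes via `'%s'`, and the hunk does not show whether it was escaped earlier, so that is worth confirming, since a quote character in a rule's msg would otherwise change the SQL. The `malloc` result on the context line above is passed to snprintf() unchecked as well. The enclosing function starts and ends outside the hunk.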

